A security researcher has demonstrated an exploit that works with a number of widely used anti-virus software packages, enabling attackers to circumvent the protection that anti-virus and anti-malware software is supposed to provide.
However, the exploit requires the attacker to have local administrative privileges.
The researcher, Florian Bogner, disclosed the proof-of-concept after notifying the vendors.
The weakness has been dubbed ‘AVGater’ by Bogner. It originally affected more than a dozen different widely used anti-virus programmes, although seven currently undisclosed anti-virus apps also suffer from the problem, he warns.
The companies that have already fixed their packages are: Emisoft, Ikarus, Kaspersky, Malwarebytes, Trend Micro, and Check Point’s ZoneAlarm.
In brief, the attack involved taking advantage of the way in which anti-virus software automatically quarantines files that appear malicious, and then use a privilege mismatch vulnerability to move that file to a more dangerous location, such as the root (C:) drive, where it can be executed.
“AVGater can be used to restore a previously quarantined file to any arbitrary filesystem location. This is possible because the restore process is most often carried out by the privileged AV Windows user mode service.
“Hence, file system ACLs [Access Control Lists] can be circumvented (as they don’t really count for the SYSTEM user). This type of issue is called a privileged file write vulnerability and can be used to place a malicious DLL anywhere on the system,” Bogner explained.
The end result of triggering these vulnerabilities is full control of a system for a local non-admin attacker.
While the other AV companies are still working on a fix for the potential vulenerability, it’s probably best for any network admins to ensure that regular users can’t restore files identified as threats, which sort of sounds like common sense anyway to be honest.
Save this article